[Forensics-changes] [yara] 207/368: Adding Mac support for process iterator

Hilko Bengen bengen at moszumanska.debian.org
Sat Jul 1 10:30:40 UTC 2017 

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.5.0
in repository yara.

commit c1b79ae24da98ebab46fc2ff81993401dcbe56e2
Author: Kyle Reed <kallanreed at outlook.com>
Date:   Sun Feb 28 18:51:18 2016 -0800

    Adding Mac support for process iterator
    
    Signed-off-by: Kyle Reed <kallanreed at outlook.com>
---
 libyara/proc.c | 141 ++++++++++++++++++++++++++++-----------------------------
 1 file changed, 70 insertions(+), 71 deletions(-)

diff --git a/libyara/proc.c b/libyara/proc.c
index fd2c87a..dde0acd 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -88,8 +88,6 @@ int _yr_get_process_blocks(
   {
     if (mbi.State == MEM_COMMIT && ((mbi.Protect & PAGE_NOACCESS) == 0)) // TODO: check for read permission?
     {
-      // TODO: test read so we don't return blocks that can't be read?
-
       new_block = (YR_MEMORY_BLOCK*)yr_malloc(sizeof(YR_MEMORY_BLOCK));
 
       if (new_block == NULL)
@@ -185,57 +183,45 @@ int _yr_read_process_block(
 
 int _yr_attach_process(
   int pid,
-  void** hProcess)
+  void** context)
 {
+  *context = NULL;
+
+  if (task_for_pid(mach_task_self(), pid, *context) != KERN_SUCCESS)
+    return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
+
   return ERROR_SUCCESS;
 }
 
 int _yr_detach_process(
-  void* hProcess)
+  void* pTask)
 {
+  task_t task = (task_t)context;
+
+  if (task != MACH_PORT_NULL)
+    mach_port_deallocate(mach_task_self(), task);
+
   return ERROR_SUCCESS;
 }
 
 int _yr_get_process_blocks(
-  void* hProcess,
+  void* context,
   YR_MEMORY_BLOCK** head)
 {
-  return ERROR_SUCCESS;
-}
-
-int _yr_read_process_block(
-  void* hProcess,
-  YR_MEMORY_BLOCK* block,
-  uint8_t** data)
-{
-  return ERROR_SUCCESS;
-}
+  task_t task = (task_t)context;
 
-int yr_process_get_memory(
-    pid_t pid,
-    YR_MEMORY_BLOCK** first_block)
-{
-  task_t task;
   kern_return_t kr;
-
   vm_size_t size = 0;
   vm_address_t address = 0;
   vm_region_basic_info_data_64_t info;
   mach_msg_type_number_t info_count;
   mach_port_t object;
 
-  unsigned char* data;
-
   YR_MEMORY_BLOCK* new_block;
-  YR_MEMORY_BLOCK* current_block = NULL;
-
-  *first_block = NULL;
-
-  if ((kr = task_for_pid(mach_task_self(), pid, &task)) != KERN_SUCCESS)
-    return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
-
-  do {
+  YR_MEMORY_BLOCK* current = NULL;
 
+  do
+  {
     info_count = VM_REGION_BASIC_INFO_COUNT_64;
 
     kr = vm_region_64(
@@ -243,63 +229,76 @@ int yr_process_get_memory(
         &address,
         &size,
         VM_REGION_BASIC_INFO,
-        (vm_region_info_t) &info,
+        (vm_region_info_t)&info,
         &info_count,
         &object);
 
     if (kr == KERN_SUCCESS)
     {
-      data = (unsigned char*) yr_malloc(size);
+      new_block = (YR_MEMORY_BLOCK*)yr_malloc(sizeof(YR_MEMORY_BLOCK));
 
-      if (data == NULL)
+      if (new_block == NULL)
         return ERROR_INSUFICIENT_MEMORY;
 
-      if (vm_read_overwrite(
-              task,
-              address,
-              size,
-              (vm_address_t)
-              data,
-              &size) == KERN_SUCCESS)
-      {
-        new_block = (YR_MEMORY_BLOCK*) yr_malloc(sizeof(YR_MEMORY_BLOCK));
-
-        if (new_block == NULL)
-        {
-          yr_free(data);
-          return ERROR_INSUFICIENT_MEMORY;
-        }
-
-        if (*first_block == NULL)
-          *first_block = new_block;
-
-        new_block->base = address;
-        new_block->size = size;
-        new_block->data = data;
-        new_block->next = NULL;
-
-        if (current_block != NULL)
-          current_block->next = new_block;
-
-        current_block = new_block;
-      }
-      else
-      {
-        yr_free(data);
-      }
+      new_block->base = address;
+      new_block->size = size;
+      new_block->next = NULL;
+
+      if (*head == NULL)
+        *head = new_block;
+
+      if (current != NULL)
+        current->next = new_block;
 
+      current = new_block;
       address += size;
     }
 
-
   } while (kr != KERN_INVALID_ADDRESS);
 
-  if (task != MACH_PORT_NULL)
-    mach_port_deallocate(mach_task_self(), task);
-
   return ERROR_SUCCESS;
 }
 
+int _yr_read_process_block(
+  void* context,
+  YR_MEMORY_BLOCK* block,
+  uint8_t** data)
+{
+  task_t task = (task_t)context;
+
+  int result = ERROR_SUCCESS;
+  uint8_t* buffer;
+  vm_size_t size = block->size;
+  *data = NULL;
+
+  buffer = (uint8_t*)yr_malloc(size);
+
+  if (buffer == NULL)
+    return ERROR_INSUFICIENT_MEMORY;
+
+  if (vm_read_overwrite(
+      task,
+      block->base,
+      block->size,
+      buffer,
+      &size) != KERN_SUCCESS)
+  {
+    result = ERROR_COULD_NOT_READ_PROCESS_MEMORY;
+
+    if (buffer != NULL)
+    {
+      yr_free(buffer);
+      buffer = NULL;
+    }
+  }
+
+  // TODO: compare read with block size
+  // it would be bad to assume block size bytes were read
+  *data = buffer;
+
+  return result;
+}
+
 #else
 
 #include <errno.h>

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git

More information about the forensics-changes mailing list